Re: [syzbot] KASAN: use-after-free Write in nft_ct_tmpl_put_pcpu

From: Florian Westphal
Date: Mon Aug 09 2021 - 17:40:37 EST


Pavel Skripkin <paskripkin@xxxxxxxxx> wrote:
> Dumb question: why would per_cpu() return 2 different pointers for CPU 1 and
> CPU 0? As I understand it, for_each_possible_cpu() will iterate over all
> CPUs which could ever be enabled. So we can hit a situation where 2 concurrent
> processes call per_cpu() with the same cpu value (*).

Yes, that is what I was trying to say: the race is that we can have more than
one process here, ever since the global transaction mutex was removed in 2018.

> Anyway, I think moving the locking a bit higher is good here; let's test it. I
> will prepare a patch, and if it passes syzbot testing, send it. Thanks!

It looks correct to me, thanks.
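The interleaving discussed above, reproduced deterministically in a userspace model. This is an added example, not kernel code and not the patch Pavel is preparing: a cooperative scheduler drives two tasks through a per-CPU template put loop one step at a time (read the per-cpu pointer, put it, clear the slot, next possible cpu), with strict A/B alternation so that both tasks read the same slot before either clears it. The names `pcpu_template`, `tmpl_put`, `run_race` and `NR_POSSIBLE_CPUS` are stand-ins chosen for this model, and serializing the whole loop under one mutex is this model's assumption about what "moving the locking a bit higher" looks like, not a description of the actual fix.

```c
/* Userspace model of a per-CPU template put loop racing with itself.
 * Added example, not kernel code. A tiny cooperative scheduler steps two
 * tasks through the loop in strict alternation, so the interleaving that
 * produces the use-after-free is reproduced every time instead of only
 * when syzbot gets lucky. */
#include <stdbool.h>
#include <stdio.h>

#define NR_POSSIBLE_CPUS 4   /* stands in for for_each_possible_cpu() */

/* Stand-in for the per-cpu conntrack template: a refcount plus a "freed"
 * marker, so a put on a freed object is counted rather than corrupting
 * the heap (this is what KASAN reports in the real kernel). */
struct tmpl {
	int refs;
	bool freed;
};

static struct tmpl templates[NR_POSSIBLE_CPUS];
static struct tmpl *pcpu_template[NR_POSSIBLE_CPUS]; /* per_cpu(...) slots */

static int uaf_count;   /* puts that hit an already freed template */
static int free_count;  /* templates actually released */

/* Model of the put: dropping the last reference frees the object. */
static void tmpl_put(struct tmpl *ct)
{
	if (ct->freed) {
		uaf_count++;
		return;
	}
	if (--ct->refs == 0) {
		ct->freed = true;
		free_count++;
	}
}

static void setup_templates(void)
{
	for (int cpu = 0; cpu < NR_POSSIBLE_CPUS; cpu++) {
		templates[cpu].refs = 1;
		templates[cpu].freed = false;
		pcpu_template[cpu] = &templates[cpu];
	}
	uaf_count = 0;
	free_count = 0;
}

/* One task walking the loop. pc is the position inside one iteration:
 * 0: ct = per_cpu slot   1: put(ct)   2: clear slot, advance cpu */
struct task {
	int cpu, pc;
	struct tmpl *ct;
	bool holds_lock, done;
};

static struct task *lock_owner;   /* model of a mutex covering the loop */

/* Advance one task by a single step. With locked set, the whole loop runs
 * under the mutex; otherwise the loop body is unprotected. */
static void task_step(struct task *t, bool locked)
{
	if (t->done)
		return;
	if (locked && !t->holds_lock) {
		if (lock_owner)      /* contended: stay blocked this step */
			return;
		lock_owner = t;
		t->holds_lock = true;
		return;
	}
	switch (t->pc) {
	case 0: /* read the slot; a NULL slot ends the walk, like "if (!ct) break;" */
		if (t->cpu == NR_POSSIBLE_CPUS || !(t->ct = pcpu_template[t->cpu])) {
			t->done = true;
			if (t->holds_lock) { lock_owner = NULL; t->holds_lock = false; }
			return;
		}
		t->pc = 1;
		return;
	case 1: /* put what we read; the other task may have read the same pointer */
		tmpl_put(t->ct);
		t->pc = 2;
		return;
	case 2: /* only now is the slot cleared, too late for a concurrent reader */
		pcpu_template[t->cpu] = NULL;
		t->cpu++;
		t->pc = 0;
		return;
	}
}

/* Run two tasks in strict alternation until both finish.
 * Returns the number of use-after-free puts observed. */
static int run_race(bool locked)
{
	struct task a = {0}, b = {0};
	setup_templates();
	lock_owner = NULL;
	while (!a.done || !b.done) {
		task_step(&a, locked);
		task_step(&b, locked);
	}
	return uaf_count;
}

int main(void)
{
	int unlocked = run_race(false);
	printf("unprotected loop: %d use-after-free puts, %d freed\n", unlocked, free_count);
	int serialized = run_race(true);
	printf("loop under mutex: %d use-after-free puts, %d freed\n", serialized, free_count);
	return serialized == 0 ? 0 : 1;
}
```

Without the lock, both tasks read slot 0 before either puts it, so the second put lands on a freed template, and the same happens for every possible CPU; with the lock covering the whole walk, the second task enters only after the first has cleared all slots, sees NULL at slot 0 and stops, which is the behaviour the `if (!ct) break;` exit relies on.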